On Friday 14 March 2003 9:14 pm, Ahbaid Gaffoor wrote:

Thank you Anders.

Hooray, I use Apache on SuSE :)

I added the following entry to my Apache config to ignore it, I found this aftre digging on google a bit...

And yes thank you, it was Code Red...

SetEnvIfNoCase Request_URI "^/default.ida" nolog Redirect gone /default.ida

You also can (err, perhaps "should") notify the originator and/or his ISP, if you can figure out who they are. If nothing else, you can claim this is "abuse" [as in DoS, sucking up your resources, or whatever...] There are some perl scripts out there that does most of the work for this, i.e., looks up the offending server to find which ISP block it belongs to, sends e-mails, etc. The other similar entry you're likely to see are requests for the script "cmd.exe", usually with a parameter of "/c+dir" -- there are about 15-20 different locations that will be tried, from the simplest (/scripts) to some rather complex attempts and getting around the MSDOS file system (such as /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir this was taken straight from my own log file ;) ) As it turns out, I had been getting these "cmd.exe" hits since the beginning of the month, mostly from one particular site. I figured out that the perpetrator was within my own ISP [pacbell] as a "traceroute" showed that the last hop before it went to "cust-rtr-<numbers>" was indeed a pacbell DSL line in northern california. So I emailed pacbell's support & abuse departments, and a day or two later these stopped -- only to be replaced by "default.ida?xxxxxxx...." from the same location :( [I suspect PB went ahead and told this guy, "you have an infected server", so he re-installed it and patched it for the cmd.exe problem, but in so doing, undid any patch he had covering the "default.ida" problem...]

...

The worst that happens to your apache server is that your logs could grow large.

fortunately, the volume of such is indeed currently fairly low -- 600+ hits for the month -- you can see this for yourself since I run awstats (take the "net" link from my homepage, scroll to the bottom, and click on the "404" hyperlink in the "error code" table) -- Yet another Blog: http://osnut.homelinux.net

----- Original Message ----- From: "Anders Johansson" To: Sent: Saturday, March 15, 2003 4:51 AM Subject: Re: [SLE] [OT] Apache Log - Strange Entry

On Saturday 15 March 2003 05:42, Ahbaid Gaffoor wrote:

...

Does anyone have any idea as to what this is? Is it dangerous? How do I protect my site against it?

Thanks,

Ahbaid.

Entry begins: ------------- 12.207.13.41 - - [11/Mar/2003:18:08:40 -0600] "GET

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

...

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u 7

...

801%u90 -------------- Entry Ends

I forget if this is Code Red or Nimda, but it's one of the two. It's only dangerous if you're running an (unpatched) IIS server. The worst that happens to your apache server is that your logs could grow large.

-- Another plus for Linux :)

__________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com